CLAIMS

1. A method for operating an embedded system covering a
plurality of technical applications, the operative 
functions of which are performed with a respective 
plurality of application-specific Electronic Control Units 
(ECU) (10, 12, 14, 16, 18), each ECU having separate need 
of resources regarding at least processing and storage 
subsystem, characterized by the steps of: 

a) operating a preselected one of said ECUs as a "donor" 
ECU (18) being provided with predefined storage subsystem 
resources, and 

b) in case of a breakdown of a storage subsystem and/or
processing subsystem of a "non-donor" ECU (12) donating
respective predefined resources to said breakdown ECU (12).

2. The method according to claim 1 further comprising the
steps of: 

a) operating a preselected one of said ECUs as a "donor" 
ECU (18) with a storage subsystem (32) being increased for 
some predetermined degree, 

b) reserving for at least one non-donor ECU (12) of said 
ECUs a respective predetermined storage area (50) in the 
storage subsystem (32) primarily associated with said 
preselected donor ECU (18) of said plurality of ECUs, 

c) providing to each non-donor ECU (12) an access to a 
respective one of said reserved storage areas (50), 

d) monitoring the operation of said ECUs, 

in case of breakdown of a non-donor ECU (12) storage 
subsystem (24) breakdown:

e) transforming addresses associated with said reserved
storage area (50) to new addresses adapted for being 
accessible by said breakdown ECU (12), 

f) assigning access to said non-donor ECU (12) to a 
respective one of said reserved storage areas (50) by using 
said transformed new address. 

3. The method according to claim 1, in which a split-cycle
mode operation is performed in which in one memory 
operation cycle of the donor-ECU (18) the donor ECU and one 
non-donor ECU (12) access the same storage subsystem (32). 

4. The method according to claim 1, further in case of
breakdown of a non-donor ECU processor (20) breakdown 
comprising the step of: 

operating said donor ECU (18) in a shared-processor mode, 
in which a predetermined controllable extent of donor-ECU 
processor (28) resources is used to run applications, which 
have run at the breakdown ECU (12) before its breakdown. 

5. The method according to claim 1, in which the donor ECU
(18) is a human interface Multimedia unit, and a non-donor
ECU (12) is a real-time ECU having a considerably lower
storage need than the donor ECU.

6. The method according to claim 1, in which a breakdown is
defined by errors limitedly resulting in a non-successful 
operation of a subtotal of applications running in an ECU. 

7. The method according to claim 1, comprising the step of
reserving said storage area (50) by hardware means, by
processor-specific memory management means, operation
system specific means, or middleware-specific means.

8. The method according to the preceding claim 3, in which 
write and read accesses are performed permanently to both, 
the respective own donor-ECU storage subsystem (32) and to 
a respective reserved area (50) in the donor-ECU subsystem, 
and said split-cycle operation mode is performed 
permanently. 

9. The method according to claim 8, further comprising the 
step of: 

a) in a split cycle comparing read data of a non-donor ECU 
(12) and respective redundant read data from said 
respective reserved storage area (50) in said donor-ECU 
(18), and 

if read data is not identical, initiating predetermined 
error management. 

10. An embedded system having means for performing the steps of 
a method according to claim 9, comprising a hardware logic 
circuit (40) connectable between a donor ECU (18) and a 
non-donor ECU (12), said hardware logic circuit (40) 
comprising logic means for implementing the donating
functions.

11. The embedded system according to claim 10, in which said 
hardware logic circuit (40) comprises 

a) an autonomic system control means (60) implementing 
system faults handling means operatively connected to 

b) a DSSM signal control circuit (64) connected for 
implementing the multiplexing of storage accesses and the 
address transforming operations, and to

c) a split-cycle timing generator (70) connected for
implementing a shared access to said donor ECU storage
subsystem (32).

12. The embedded system according to claim 11 in which a 
multiplexer means is provided within said DSSM signal 
control circuit (64) for assigning access to said non-donor 
ECU to a respective one of said reserved storage areas, 
which is implemented as a FET switch array. 



13. The embedded system according to claim 12 in which said 
autonomic system control means (60) is implemented in a 
programmable ASIC. 



